Database Security Digest – January 2017

Here is the most notable cyber-attack and database security news of the month.

For MongoDB users the year started with a major incident: more than 28,000 hijacked MongoDB databases have been reported. MongoDB is a free and open-source NoSQL document database (not a relational database). The attacks were carried out by several groups using simple scripts against misconfigured MongoDB deployments: the script connects, wipes the database and leaves a note demanding $100-500 to get it back. It only works against instances that are reachable from the Internet and either require no authentication at all or use a default or easily guessed administrator password. Hadoop and CouchDB installations have since been hit by the same scheme. The common factor among the victims is a default configuration that allows access without authorization. The security of the platforms themselves is not the issue; the problem is that surprisingly many companies neglected the very basics of database security: listen only on trusted interfaces, require authentication, and keep backups. Companies that did not back up their databases have lost their data for good, as most of the attackers do not return the data even after receiving the payment.
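As an added illustration of the misconfiguration behind these hijacks (example code written for this digest, not part of MongoDB or of any of the reports above), the following Python script audits a YAML-style mongod.conf for the two settings involved: the address the server binds to and whether access control is enabled. The two configuration texts are constructed for the example. Treating a missing bindIp as 0.0.0.0 reflects the pre-3.6 default of the mongod binary; whether that matches your build is something to verify against your own version.

```python
"""Audit a mongod.conf for the two settings behind the January 2017
mass hijacking: listening on a non-loopback interface while access
control is disabled.  Added example, not MongoDB project code; the two
config texts below are constructed for illustration."""
import ipaddress

# Constructed "before" config: the pattern the hijack scripts looked for.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# no security: section, so authorization stays disabled
"""

# Constructed "after" config: loopback only, authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Minimal parser for the two-level 'section:/  key: value' layout of a
    YAML-style mongod.conf.  Assumption: no lists, anchors or multi-line
    values, which covers the settings audited here."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    findings = []

    # Assumption: before MongoDB 3.6 the binary bound to all interfaces
    # unless told otherwise, so a missing bindIp is treated as 0.0.0.0.
    bind_ip = conf.get("net", {}).get("bindIp", "0.0.0.0")
    exposed = []
    for addr in (a.strip() for a in bind_ip.split(",")):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            exposed.append(addr)                 # hostname: assume not loopback
            continue
        if ip.is_unspecified or not ip.is_loopback:
            exposed.append(addr)
    if exposed:
        findings.append("net.bindIp listens on non-loopback address(es): "
                        + ", ".join(exposed))

    # security.authorization defaults to disabled when the key is absent.
    authz = conf.get("security", {}).get("authorization", "disabled")
    if authz != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "any client that can connect has full access")

    if exposed and authz != "enabled":
        findings.append("CRITICAL: network-reachable with no authentication, "
                        "the exact pattern the hijack scripts exploit")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(text) or ['OK']}")
```

A production deployment will usually bind to a private interface behind a firewall rather than to loopback alone; the script reports that as a network-reachable listener but only escalates to critical when authentication is also off, since that combination is what the attackers scanned for.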

The ESEA video-gaming community has been breached: 1.5 million accounts were compromised, including usernames, email addresses, hashed passwords, birth dates and phone numbers. The company did not store payment information, and account passwords were hashed with bcrypt (a slow password hash, not reversible encryption), which limits the damage from the leaked hashes.

Indian banks encountered a problem with SWIFT, the interbank messaging network used to exchange financial transaction instructions. No money was lost, but the access could have been used to fraudulently duplicate trade documents. A forensic audit is under way.

Database Security

Oracle started the year with its regular Critical Patch Update, fixing 270 vulnerabilities across its product lines. The original risk matrix is available in Oracle's advisory.

MySQL

The Critical Patch Update contains 27 security fixes for Oracle MySQL. 5 of these vulnerabilities can be exploited over a network without user credentials.

CVE # | CVSS Score | Component | Description
CVE-2015-7501 | 8.8 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows a low privileged attacker with network access via TLS to take over the MySQL Enterprise Monitor component.
CVE-2016-0635 | 8.8 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows a low privileged attacker with network access via TLS to take over the MySQL Enterprise Monitor component.
CVE-2016-0714 | 8.8 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows a low privileged attacker with network access via TLS to take over the MySQL Enterprise Monitor component.
CVE-2016-5541 | 4.8 | MySQL Cluster: NDBAPI | Allows an unauthenticated attacker with network access via multiple protocols to compromise the MySQL Cluster component. Successful exploitation can result in unauthorized update, insert or delete access to some MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Cluster.
CVE-2016-5590 | 7.2 | MySQL Enterprise Monitor: Agent | Easily exploitable vulnerability that allows a high privileged attacker with network access via TLS to compromise MySQL Enterprise Monitor. Successful exploitation can result in takeover of MySQL Enterprise Monitor.
CVE-2016-6304 | 7.5 | MySQL Enterprise Monitor: General | Easily exploitable vulnerability that allows an unauthenticated attacker with network access via TLS to compromise the MySQL Enterprise Monitor component. Successful exploitation can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of the MySQL Enterprise Monitor component.
CVE-2016-8318 | 6.8 | MySQL Server: Encryption | Easily exploitable vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Exploitation requires human interaction from a person other than the attacker, and the attack may significantly impact additional products. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2016-8327 | 4.4 | MySQL Server: Replication | Difficult to exploit vulnerability that allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3238 | 6.5 | MySQL Server: Optimizer | Easily exploitable vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3243 | 4.4 | MySQL Server: Charsets | Difficult to exploit vulnerability that allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3244 | 6.5 | MySQL Server: DML | Easily exploitable vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3251 | 4.9 | MySQL Server: Optimizer | Easily exploitable vulnerability that allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3256 | 6.5 | MySQL Server: Replication | Easily exploitable vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3257 | 6.5 | MySQL Server: InnoDB | Easily exploitable vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3258 | 6.5 | MySQL Server: DDL | Easily exploitable vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3265 | 5.6 | MySQL Server: Packaging | Difficult to exploit vulnerability that allows a high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires human interaction from a person other than the attacker. Successful exploitation grants unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3273 | 6.5 | MySQL Server: DDL | Easily exploitable vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3291 | 6.3 | MySQL Server: Packaging | Difficult to exploit vulnerability that allows a high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires human interaction from a person other than the attacker. Successful exploitation can result in takeover of MySQL Server.
CVE-2017-3312 | 6.7 | MySQL Server: Packaging | Difficult to exploit vulnerability that allows a low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires human interaction from a person other than the attacker. Successful exploitation can result in takeover of MySQL Server.
CVE-2017-3313 | 4.7 | MySQL Server: MyISAM | Difficult to exploit vulnerability that allows a low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful exploitation grants unauthorized access to critical data or complete access to all MySQL Server accessible data.
CVE-2017-3317 | 4.0 | MySQL Server: Logging | Difficult to exploit vulnerability that allows a high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires human interaction from a person other than the attacker. Successful exploitation allows an unauthorized user to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
CVE-2017-3318 | 4.0 | MySQL Server: Error Handling | Difficult to exploit vulnerability that allows a high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Exploitation requires human interaction from a person other than the attacker. Successful exploitation grants unauthorized access to critical data or complete access to all MySQL Server accessible data.
CVE-2017-3319 | 3.1 | MySQL Server: X Plugin | Difficult to exploit vulnerability that allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation can result in unauthorized read access to a subset of MySQL Server accessible data.
CVE-2017-3320 | 2.4 | MySQL Server: Encryption | Easily exploitable vulnerability that allows a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation grants unauthorized read access to a subset of MySQL Server accessible data.
CVE-2017-3321 | 3.7 | MySQL Cluster: General | Difficult to exploit vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful exploitation grants an unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Cluster.
CVE-2017-3322 | 3.7 | MySQL Cluster: NDBAPI | Difficult to exploit vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful exploitation grants an unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Cluster.
CVE-2017-3323 | 3.7 | MySQL Cluster: General | Difficult to exploit vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful exploitation grants an unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Cluster.

Oracle Database Server

This Critical Patch Update contains 5 new security fixes for Oracle Database Server. 3 of them are remotely exploitable without authentication.

CVE # | CVSS Score | Component | Description
CVE-2017-3240 | 3.3 | RDBMS Security | Easily exploitable vulnerability that allows a low privileged attacker having Local Logon privilege with logon to the infrastructure where RDBMS Security executes to compromise the RDBMS Security component. Successful exploitation can result in unauthorized read access to a subset of RDBMS Security accessible data.
CVE-2017-3310 | 9.0 | OJVM | Easily exploitable vulnerability that allows a low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. Exploitation requires human interaction from a person other than the attacker, and the attack may significantly impact additional products. Successful exploitation can result in takeover of OJVM.
CVE-2015-1791 | 5.6 | Oracle Secure Backup: OpenSSL | Difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTPS to compromise OpenSSL. Successful exploitation can result in unauthorized update, insert or delete access to some OpenSSL accessible data, unauthorized read access to a subset of OpenSSL accessible data, and unauthorized ability to cause a partial denial of service (partial DoS) of OpenSSL.
CVE-2016-1903 | 9.1 | Oracle Secure Backup: PHP | Easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise PHP. Successful exploitation can result in unauthorized access to critical data or complete access to all PHP accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of PHP.
CVE-2015-3253 | 9.8 | Oracle Big Data Graph | Easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise the Spatial component. Successful exploitation can result in takeover of the Spatial component.

Pivotal Greenplum Database 4.3.11.3

A new release of Greenplum Database contains the following changes:

  • A gptransfer issue that occurred when copying tables with multiple distribution keys has been resolved.
  • The query planner could generate a plan that returned incorrect results for some window queries. The issue has been resolved.
  • Failures of the gpstart/gpstop utilities after a server reboot have been fixed.
  • Performance enhancements to the Query Optimizer, Query Planner, Query Execution, Transaction Management and S3 External Tables.
  • Other enhancements and changes to the following scripts: analyzedb, Backup, Restore, recoverseg, gptransfer.